Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam "Jacked frost". The Websense® ThreatSeeker™ network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more laid back and when the security community is less likely to alert users to this type of threat.

Bitcoin is a peer-to-peer currency exchange system that features a predictable currency rate. The generation of Bitcoin currency is controlled by an algorithm created by Japanese researcher Satoshi Nakamoto in 2008. Bitcoin system users are essentially "mining" for Bitcoins using their computers' CPU power. Today, because of the intrinsic characteristics of the Bitcoin-generating algorithm, calculating new "coins" in a reasonable amount of time without the use of distributed computing power is very difficult. It's important to remember that Bitcoins are like real money and can be exchanged for real money.

During a recent investigation, we encountered a new trend in the landscape of monetization techniques, which can be triggered by a Black Hat SEO (BHSEO) poisoning campaign. What happens when BHSEO specialists meet a service offered, for example, by BitcoinPlus, which is used for mining Bitcoins? Well, we should never underestimate the cleverness and the imagination of cyber criminals. Specifically, we have encountered an array of Websites that have been set up for BHSEO purposes and that are used for Bitcoin mining. Basically, this is the goal of BHSEO poisoning: reach a user for malicious purposes when that user is looking for something via a search engine.

There are many ways to create a BHSEO campaign (or structure). The one most often used consists of creating a Website HTML page and naming it after a popular keyword. So a global celebrity gossip news item can be a gold mine for anyone who wants to build a BHSEO campaign. This technique is frequently used to spread malware or some other kind of malicious content. BitcoinPlus offers a service which allows a registered user to mine "coins" using some JavaScript that is added to their Website. This essentially means that the CPU power of any visitor's computer will be used to generate Bitcoins for the Bitcoin account owner.
The code, provided by BitcoinPlus, is shown in the following screenshot; this is the code that is included in the BHSEO Website to generate Bitcoins:

Essentially the code requires the support of the minimal jQuery library, the call to the mining JavaScript code, and the registration of the BitcoinPlus user account. The following Java applet shows the miner.js call:

A brief analysis of this JAR file shows the code that calculates the amount of time necessary for any Web client visit to mine Bitcoins, as shown in the following code snippet:

Up to this point, nothing illegal has happened. But what would happen if this script is used for malicious intent? During our analysis using the Websense ThreatSeeker™ Network, we detected several Websites set up with the JavaScript snippet shown above. The screenshot below shows some of the Websites that are part of the BHSEO campaign explained earlier in this blog:

The keywords relate to a variety of topics: adult content, electronic devices, hacking, software, and so...
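A crawler-side check for the three components of the embed described above (a jQuery include, a miner.js script load, and an inline call that registers the account), given as an added example that is not code from the original post or from BitcoinPlus. The sample pages, host names and the `startMiner` call name are constructed placeholders; only the file name miner.js comes from the text.

```python
import re
from html.parser import HTMLParser
# Constructed samples (hosts, account id and startMiner are placeholders);
# GAME_PAGE reuses the file name without registering an account.
SAMPLE_PAGE = """<html><head><title>celebrity gossip news</title>
<script src="http://cdn.example/jquery.min.js"></script>
<script src="http://miner-host.example/js/miner.js"></script>
<script>startMiner("account-id-placeholder");</script>
</head><body>keyword-stuffed text</body></html>"""
CLEAN_PAGE = """<html><head><script src="/static/jquery.min.js"></script>
<script>$(function(){ $("#menu").show(); });</script></head><body>shop</body></html>"""
GAME_PAGE = '<script src="/games/miner.js"></script><script>initGame();</script>'

MINER_SRC = re.compile(r"(^|/)miner\.js(\?|$)", re.I)
JQUERY_SRC = re.compile(r"jquery[^/]*\.js", re.I)
# Inline call to a *miner* function with one quoted argument (the account id).
ACCOUNT_CALL = re.compile(r"\b\w*miner\w*\s*\(\s*[\"'][^\"']+[\"']\s*\)", re.I)

class ScriptCollector(HTMLParser):  # gathers external script URLs and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_miner_embed(html):
    """Report which of the three embed components appear in the page."""
    collector = ScriptCollector()
    collector.feed(html)
    return {"miner_script": [s for s in collector.external if MINER_SRC.search(s)],
            "jquery": any(JQUERY_SRC.search(s) for s in collector.external),
            "account_call": any(ACCOUNT_CALL.search(b) for b in collector.inline)}

def is_suspect(html):
    """Flag only when the miner script loads and an account is registered inline."""
    found = find_miner_embed(html)
    return bool(found["miner_script"]) and found["account_call"]
```

The jQuery flag is reported but not required for a verdict, since jQuery alone is present on many benign pages.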